security audit


Upload: rahul-bhargava

Post on 19-Jun-2015


DESCRIPTION

A highly condensed security audit template for non-technical work spaces, to serve as a checklist.

TRANSCRIPT

Page 1: Security audit

Security audit, 27th September 2014

Security design principles

The following eight design guidelines on security design were created by Saltzer and Schroeder [1]. They encompass technical details and human interaction that are used as a reference, with representative annotations, at a very high level [2]:

[1] Bishop, Matt. Introduction to Computer Security. Boston: Addison-Wesley, 2006.

[2] http://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_Principles

Principle of least privilege: Give only those privileges that are necessary in order to complete its task. This impacts efficiency. However, override procedures introduce loopholes.

Principle of fail-safe defaults: Deny access unless given access. This impacts productivity and may introduce red tape where authorisations involve other people, which is more secure.

Principle of economy of mechanism: Security mechanisms should be as simple as possible. Each channel must be encrypted and each state must be protected, though simplicity and ensuring encryption are orthogonal in most production settings.

Principle of complete mediation: All access is to be checked to ensure that it is allowed. In practice only privileged access is checked, as otherwise the checks are cumbersome.

Principle of open design: Security of a mechanism should not depend on the secrecy of its design or implementation, though security by obscurity is compelling.

Principle of separation of privilege: A system should not grant permission based on a single condition. Multi-factor authentication is useful in context.

Principle of least common mechanism: Mechanisms used to access resources should not be shared, which also makes for usable audit trails.

Principle of psychological acceptability: Security mechanisms should not make a resource more difficult to access than if the security mechanism was not present. This contradicts everything else.

For example, every component is a security hazard. Attacks on biometric systems may be categorized by the specific part of the design targeted.

Type 1 Fake biometric sensor.

Type 2 Replay attacks.

Type 3 Trojan horse program at feature extractor.

Type 4 Real features replaced by synthetic features.

Type 5 Trojan horse program at matcher.

Type 6 Attacks modifying database of templates.

Type 7 Results overridden.

[Figure: biometric system pipeline (Sensor, Feature Extractor, Matcher, Stored Template, Device) with attack points Type 1 to Type 8 marked on the components and the links between them.]

Security audit

1. An audit proposal, that is the proposed processes, should preferably be in writing and against established standards. Some certification may be useful though not necessary. Information on checklists and procedures to be used on site should be communicated early.

2. People make or break secure systems. Staff must be security-aware and follow processes, preferably on their own initiative. In the final analysis, all staff must be trained and be security aware. However, if this is enforced according to best practices, the overheads will be extremely high and usability may drop, hindering performance.

3. A major emphasis should be on configuration, accessibility (for system administrators and all staff) and production systems should be locked down to be auditable.

4. Restricting foreign drives and removable storage is mostly unreasonable as a directive. This should be related to legal enforcement and training and communicated by management. Where physical files can be removed from the premises, so can documents. This may involve change management.


5. Preventive maintenance may involve training. Thorough documentation is most important in context.

6. Enforceable guidelines should be documented.

Security certification

International Information Systems Security Certification Consortium's (ISC2) Certified Information Systems Security Professional (CISSP) security domains, similar to those by Information Systems Audit and Control Association's Certified Information Systems Auditor expertise domains:

1. Access control [3]

[3] http://www.kilala.nl/Sysadmin/Images/CISSP_Summary_V1.1.pdf

(a) Confidentiality, unauthorised information disclosure – integrity, protecting data – availability, fault tolerance and recovery

(b) Identification – authorisation – accountability

(c) Controls. Administrative, preventive: hiring, detective: behavior – technical, preventive: biometrics, detective: audit logs – physical, preventive: locks, detective: cameras

(d) Rule based access control

2. Telecommunications and network security

(a) RAID. 0, striped, no fault tolerance – 1, mirrored, single disk failure – 5, parity on all drives, single drive failure, requires three disks

(b) Redundant servers. RAID 1 mirroring.

(c) Network abuse. Class A, unauthorised access – Class B, non-business use – Class C, eavesdropping – Class D, denial of service – Class E, network intrusion, spoofing, backdoors – Class F, probing

3. Information security governance and risk management

(a) Levels. Public, unclassified – sensitive, but classified – private – confidential, some damage – secret, serious damage – top secret, grave danger

(b) Security awareness

(c) Losses

(d) Policies, standards and guidelines. Regulatory, by law, compliance and industry standard – advisory, not mandatory – informative, for knowledge

(e) Information policies, security policies, system security


(f) Roles. Senior management – Information Security Officer – Security Analyst – Owner – Custodian – End-user – Auditor

4. Software development security

5. Cryptography

6. Security architecture and design (applications and systems development)

(a) Conception. Policies – standards – threat vulnerabilities – legal – cost – etc.

(b) Initiation. Encryption – security specifications.

(c) Development. Incorporate security specifications – access control – verification.

(d) Implement. Security software

(e) Test. Security software and controls – documentation

(f) Maintain and change control. User requests – priorities – costs and interface – recreate & analyse problem – quality control – documentation – updates

(g) Configuration management

(h) Threats. Virus – worms – trojans – backdoor – covert channel

(i) Database. Granularity – aggregation – inference

7. Operations security

(a) Categories of controls. Preventive – detective – corrective – deterrent – application controls – transactional controls

(b) Administrative management. Separation of duties – least privilege – two-person control – rotation of duties – need to know – employee screening, checks

(c) Threats and vulnerabilities. Accidental loss – inappropriate activity – illegal operations

(d) Operational assurance. Architecture – integrity – covert channel analysis – trusted facility management – trusted recovery

8. Business continuity and disaster recovery planning

(a) Disaster recovery. Process continuity – recovery plan

(b) Continuity planning. Mutual aid – alternative service facility – multiple centers, dual sites

(c) Transaction redundancy. Electronic vaulting – remote journaling – database shadowing

9. Legal, regulations, investigations and compliance

(a) Evidence. Sufficient – reliable – permissible – preserved and identifiable. Authentic – accurate – complete – convincing – admissible.


(b) Types of evidence. Primary, best – secondary, copies, not admissible, oral – direct, proves fact by itself – conclusive – circumstantial – corroborative – hearsay

10. Physical (environmental) security: Audit trails

(a) Date and time stamps

(b) Successful or not, attempt

(c) Where the access was granted

(d) Who attempted access

(e) Who modified access privileges at supervisor level
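The reference monitor below is an added example, not part of the original audit template. It ties the fail-safe default, complete mediation and separation of privilege principles from the design-principles section to the audit-trail fields listed under item 10: every access decision and every privilege change is recorded with a timestamp, whether it succeeded, where it was attempted, who attempted it, and who changed privileges at supervisor level. The subject names, the resource name `payroll.db`, the `second_factor_ok` flag and the trail layout are constructed for illustration.

```python
"""Deny-by-default, fully mediated access checks with an audit trail.

Added example (not from the original audit template). Subjects, resources
and the second-factor flag are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditRecord:
    timestamp: str   # when the event happened (UTC, ISO 8601)
    success: bool    # whether the attempt was granted
    where: str       # resource or location the access was tried on
    who: str         # subject that attempted the access or change
    action: str      # "access" or "privilege_change"
    detail: str = ""  # operation, or which privilege changed for whom


class AccessMonitor:
    """Every access goes through check(); nothing is implicitly allowed
    (fail-safe default), and the only way to alter privileges is
    change_privilege(), which requires a supervisor and is itself logged."""

    def __init__(self, supervisors):
        self._grants: dict = {}          # subject -> set of "resource:op"
        self._supervisors = set(supervisors)
        self.trail: list = []

    def _log(self, success, where, who, action, detail=""):
        self.trail.append(AuditRecord(
            datetime.now(timezone.utc).isoformat(), success, where, who, action, detail))

    def check(self, subject, resource, op, second_factor_ok=False):
        """Complete mediation: called on every access, no cached decisions."""
        allowed = f"{resource}:{op}" in self._grants.get(subject, set())
        # Separation of privilege: a write needs a second condition (here a
        # constructed second-factor flag) on top of the grant itself.
        if op == "write" and not second_factor_ok:
            allowed = False
        self._log(allowed, resource, subject, "access", op)
        return allowed

    def change_privilege(self, supervisor, subject, resource, op, grant=True):
        """Privilege changes are mediated too and record who made them."""
        if supervisor not in self._supervisors:
            self._log(False, resource, supervisor, "privilege_change",
                      f"denied: not a supervisor; target={subject} {op}")
            return False
        perms = self._grants.setdefault(subject, set())
        key = f"{resource}:{op}"
        if grant:
            perms.add(key)
        else:
            perms.discard(key)
        self._log(True, resource, supervisor, "privilege_change",
                  f"{'grant' if grant else 'revoke'} {op} for {subject}")
        return True


def demo():
    """Constructed walk-through; returns the decisions and the audit trail."""
    m = AccessMonitor(supervisors={"sup.dana"})
    r1 = m.check("alice", "payroll.db", "read")                  # no grant yet: denied
    m.change_privilege("alice", "alice", "payroll.db", "read")   # self-grant: denied, logged
    m.change_privilege("sup.dana", "alice", "payroll.db", "read")
    r2 = m.check("alice", "payroll.db", "read")                  # now allowed
    m.change_privilege("sup.dana", "alice", "payroll.db", "write")
    r3 = m.check("alice", "payroll.db", "write")                 # grant alone is not enough
    r4 = m.check("alice", "payroll.db", "write", second_factor_ok=True)
    return (r1, r2, r3, r4), m.trail


if __name__ == "__main__":
    results, trail = demo()
    print("decisions:", results)
    for rec in trail:
        print(rec)
```

Running the module prints the four decisions (denied, allowed, denied, allowed) followed by seven trail records; the second record is the failed self-grant by a non-supervisor, which is exactly the "who modified access privileges at supervisor level" event an auditor looks for.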

Auditor qualification

1. Minimum of five years of direct full-time security work experience in two or more of the ten (ISC)² information security domains

2. One year may be waived for having either a four-year college degree, a Master's degree in Information Security, or for possessing one of a number of other certifications from other organizations

3. Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.

4. Answer four questions regarding criminal history and related background

5. Have their qualifications endorsed by another CISSP in good standing.
